Computer Administration Overview
Computer administration in EmpowerID brings computer objects under centralized governance, allowing administrators to onboard computers, control who can manage and access them, and perform Active Directory lifecycle operations — all through a unified interface without requiring direct access to each underlying directory system.
Access Control Model
EmpowerID uses three layers to control who can interact with computer objects:
Management Roles determine which administrators can manage computers in EmpowerID. Roles with the ACT prefix grant the ability to create, update, and delete computer objects; VIS roles control visibility; and UI roles grant access to the management interfaces. See Access Needed to Manage Computers.
Access Levels grant specific operations to users or groups for individual computers — such as approving access requests, assigning shared credentials, or managing computer settings. See Grant Access to Manage Specific Computers.
Eligibility controls which users can discover and request access to computers published in the IAM Shop. Users must be configured as eligible assignees before they can see or request a computer. See Configure Eligibility for Computers.
Computer Onboarding and Configuration
The Onboard Computer wizard integrates computers into EmpowerID and configures their access settings in a single workflow. During onboarding you can:
- Register the computer with its DNS name, platform, operating system, and type
- Publish it to the IAM Shop and configure RDP or SSH connection settings
- Set the access request policy governing credential management and approval
- Assign owners, a responsible party, and deputies
- Configure initial eligibility for IAM Shop access
- Vault credentials and optionally assign a gateway computer for privileged sessions
Computers inventoried from Active Directory are assigned to default locations automatically. You can move them to locations that better reflect your organizational structure after onboarding. See Onboard Computers and Assign Computers to Locations.
IAM Shop Access Configuration
When a computer is published to the IAM Shop, IAM Shop Permission Levels define which permissions users can request when connecting to it. Each permission level maps to a native system group on the computer, such as a local administrators group. EmpowerID includes default Local Admin and Domain Admin levels; organizations can create custom levels to meet specific requirements.
Permission levels can be combined with Just-In-Time (JIT) provisioning, which automatically creates a temporary account at the start of a session and removes it when the session ends. This ensures no standing privileged accounts exist outside of active sessions.
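The permission-level and JIT model described above maps a requested level to a native local group and promises that no standing privileged accounts remain outside active sessions. The following PowerShell check is an added example, not EmpowerID code or part of this documentation: it reads the local administrators group on a target host over WinRM and reports members that are not in an expected baseline, which is how an operator can verify that a temporary JIT account was actually removed when its session ended. The host name, group name and baseline members are constructed placeholders.

```powershell
# Added example (not EmpowerID code): report standing members of a local
# administrators group that are not in an expected baseline. Requires WinRM
# access to the target. Host name and baseline are placeholders.
$TargetHost = 'WS-LAB-01'                              # placeholder host name
$Expected   = @("$TargetHost\Administrator",           # built-in local admin
                'CORP\Domain Admins')                  # placeholder domain group

function Get-UnexpectedLocalAdmins {
    param(
        [string]$ComputerName,
        [string[]]$ExpectedMembers,
        [string]$GroupName = 'Administrators'   # the native group a permission level maps to
    )
    # Enumerate current members on the host; names come back as 'DOMAIN\account'
    # or 'HOST\account'.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($g)
        Get-LocalGroupMember -Group $g | Select-Object -ExpandProperty Name
    } -ArgumentList $GroupName

    # Anything outside the baseline is a standing privileged account that
    # should not exist between JIT sessions.
    $members | Where-Object { $_ -notin $ExpectedMembers } | ForEach-Object {
        [pscustomobject]@{ Computer = $ComputerName; Group = $GroupName; UnexpectedMember = $_ }
    }
}

# Usage: an empty result means only baseline members hold standing membership.
Get-UnexpectedLocalAdmins -ComputerName $TargetHost -ExpectedMembers $Expected
```

Run this check after a JIT session has ended (and periodically as a scheduled audit); any row it returns is a candidate for investigation, since the account either was not cleaned up or was added outside the IAM Shop.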
For session management — initiating, monitoring, and terminating privileged sessions — see the Privileged Session Management section.
Computer Lifecycle Operations
EmpowerID provides standard directory lifecycle operations for computer objects in Active Directory:
- Move – Relocate computers between organizational units
- Enable / Disable – Control whether a computer account can authenticate with the domain without deleting the object
- Delete – Remove a computer from Active Directory (recoverable within the tombstone lifetime period)
- Restore – Recover a deleted computer from the Deleted Objects container
- Reset Password – Reset the computer account password for security maintenance or authentication troubleshooting
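EmpowerID performs these operations through its own interface, but it helps to know the native Active Directory actions they correspond to, in particular the tombstone lifetime that bounds the Restore operation and the reason a computer password reset has to involve the computer itself. The script below is an added example written for this page, not EmpowerID code; it uses the ActiveDirectory RSAT module and wraps each operation in a small function that honours -WhatIf for dry runs. The computer name, OU path and domain controller are placeholders.

```powershell
# Added example (not EmpowerID code): native Active Directory operations behind
# the lifecycle actions listed above. Requires the ActiveDirectory RSAT module
# and an account holding the corresponding AD rights. Names below are placeholders.
#Requires -Modules ActiveDirectory

$Computer         = 'WS-LAB-01'                                      # placeholder
$TargetOu         = 'OU=Workstations,OU=Managed,DC=corp,DC=example'  # placeholder
$DomainController = 'dc01.corp.example'                              # placeholder

# Move: relocate the computer object to another organizational unit.
function Move-LabComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name, [string]$TargetPath)
    $dn = (Get-ADComputer -Identity $Name).DistinguishedName
    Move-ADObject -Identity $dn -TargetPath $TargetPath
}

# Enable / Disable: control whether the account can authenticate; the object
# and its attributes stay in the directory either way.
function Set-LabComputerEnabled {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name, [bool]$Enabled)
    if ($Enabled) { Enable-ADAccount  -Identity "$Name`$" }
    else          { Disable-ADAccount -Identity "$Name`$" }
}

# Tombstone lifetime: how long a deleted object remains recoverable. The value
# is stored on the Directory Service object; when unset the forest default is 60 days.
function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

# Delete: the object becomes a tombstone (or a recycled object when the AD
# Recycle Bin is enabled) and can be restored only within the lifetime above.
# Remove-ADComputer prompts for confirmation unless -Confirm:$false is passed.
function Remove-LabComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name)
    Remove-ADComputer -Identity $Name
    Write-Verbose ("Deleted {0}; restorable for up to {1} days" -f $Name, (Get-TombstoneLifetimeDays))
}

# Restore: find the deleted object by its retained name and class, then undelete it.
# With the Recycle Bin enabled it returns intact; without it, only the attributes
# preserved on the tombstone come back and the rest must be re-populated.
function Restore-LabComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name)
    $pattern = "$Name*"   # deleted objects are renamed to '<name>\0ADEL:<guid>'
    $deleted = Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and objectClass -eq 'computer' -and name -like $pattern }
    if (-not $deleted) {
        throw "No deleted computer object matching '$Name' found (the tombstone lifetime may have expired)."
    }
    $deleted | ForEach-Object { Restore-ADObject -Identity $_.ObjectGUID }
}

# Reset Password: the machine account password exists in two places, the
# directory and the host's local secret. Resetting only the directory copy
# breaks the secure channel, so the reset is issued on the computer itself,
# which updates both. (If the channel is already broken, run
# Reset-ComputerMachinePassword locally on the host with -Credential instead.)
function Reset-LabComputerPassword {
    param([string]$Name, [string]$Server)
    Invoke-Command -ComputerName $Name -ScriptBlock {
        param($dc) Reset-ComputerMachinePassword -Server $dc
    } -ArgumentList $Server
    # Confirm the directory recorded the change by reading pwdLastSet.
    $raw = (Get-ADComputer -Identity $Name -Properties pwdLastSet).pwdLastSet
    [DateTime]::FromFileTimeUtc($raw)
}

# Usage, dry run first: -WhatIf propagates from these functions to the AD cmdlets they call.
# Move-LabComputer -Name $Computer -TargetPath $TargetOu -WhatIf
# Set-LabComputerEnabled -Name $Computer -Enabled $false -WhatIf
# Remove-LabComputer -Name $Computer -WhatIf -Verbose
# Restore-LabComputer -Name $Computer -WhatIf
# Reset-LabComputerPassword -Name $Computer -Server $DomainController
```

Check Get-TombstoneLifetimeDays before relying on Restore as a safety net: the recoverable window is a forest-wide setting, and once it has passed a deleted computer object is garbage-collected and must be recreated and rejoined rather than restored.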
Getting Started
Before managing computers in EmpowerID, confirm that your account has the required permissions. Start with Access Needed to Manage Computers, then follow the sequence below:
- Confirm access – Ensure you have the required Management Roles and Access Levels
- Onboard computers – Register computers in EmpowerID and configure access settings
- Assign to locations – Place computers in the appropriate organizational locations
- Configure access control – Set up eligibility, permission levels, and JIT provisioning for IAM Shop access
- Perform lifecycle operations – Move, enable, disable, delete, or restore computers as needed